Michael Ford, an American employee of the US Embassy in London, was sentenced earlier this week to 57 months in prison after pleading guilty to nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud. Ford sent phishing emails to thousands of people in which he posed as a member of their email provider’s “account deletion” team. In the emails he represented that, for security purposes, the recipients’ email accounts would be deleted if they did not respond by providing their passwords. Hundreds of people fell for the scam. Focusing on young women, particularly members of sororities and aspiring models, he used the passwords they provided to hack into their email accounts and steal nude photos that were stored there. Making things worse, he then sent emails to at least 75 of his victims in which he threatened to post the stolen photos on the Internet and to send them to his victims’ families and to escort websites if they did not obtain and send him nude photos and videos of other young women. When some of the women refused to give in to his extortion demands, he followed through with his threat and posted their photos and videos on the Internet.
This case illustrates two significant issues. The first is one about which I am constantly commenting, but which cannot be mentioned too many times: you should never provide personal information, including passwords or user names, in response to an email or a text message unless you have absolutely confirmed that the email or text message requesting the information is legitimate. In this case, a simple email or call to the email provider would have confirmed that the emails requesting passwords were phishing scams. The second issue involves the storage of sensitive information, photos or videos. They should never be stored in email accounts, which are relatively easily hacked. Wherever you store sensitive material, such as in the cloud, you should use dual factor authentication or take other security measures to make it more difficult for your information to be hacked.